From a32ecc15aec6518f5a126fb8f3643e563327f74d Mon Sep 17 00:00:00 2001
From: Ebrahim Byagowi <ebrahim@gnu.org>
Date: Sat, 11 Jan 2020 15:37:24 +0330
Subject: [PATCH] Fix collect lookups logic of FeatureVariationRecord

As "Offset to a feature table substitution table, from beginning of the FeatureVariations table."
from https://docs.microsoft.com/en-us/typography/opentype/spec/chapter2 the record should
match its sanitize logic not the reverse way.

Fixes https://crbug.com/oss-fuzz/20021 and https://crbug.com/oss-fuzz/20022
---
 src/hb-ot-layout-common.hh                         |   7 ++++---
 ...ase-minimized-hb-subset-fuzzer-5167653459329024 | Bin 0 -> 46 bytes
 ...ase-minimized-hb-subset-fuzzer-5642531954229248 | Bin 0 -> 46 bytes
 3 files changed, 4 insertions(+), 3 deletions(-)
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5167653459329024
 create mode 100644 test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5642531954229248

diff --git a/src/hb-ot-layout-common.hh b/src/hb-ot-layout-common.hh
index c85c5a3a4..af394b5b7 100644
--- a/src/hb-ot-layout-common.hh
+++ b/src/hb-ot-layout-common.hh
@@ -2363,10 +2363,11 @@ struct FeatureVariationRecord
 {
   friend struct FeatureVariations;
 
-  void collect_lookups (const hb_set_t *feature_indexes,
+  void collect_lookups (const void     *base,
+			const hb_set_t *feature_indexes,
 			hb_set_t       *lookup_indexes /* OUT */) const
   {
-    return (this+substitutions).collect_lookups (feature_indexes, lookup_indexes);
+    return (base+substitutions).collect_lookups (feature_indexes, lookup_indexes);
   }
 
   bool sanitize (hb_sanitize_context_t *c, const void *base) const
@@ -2423,7 +2424,7 @@ struct FeatureVariations
 			hb_set_t       *lookup_indexes /* OUT */) const
   {
     for (const FeatureVariationRecord& r : varRecords)
-      r.collect_lookups (feature_indexes, lookup_indexes);
+      r.collect_lookups (this, feature_indexes, lookup_indexes);
   }
 
   bool sanitize (hb_sanitize_context_t *c) const
diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5167653459329024 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5167653459329024
new file mode 100644
index 0000000000000000000000000000000000000000..fe83d24a9b4e841d0b19d2f99108348ab26e3c4d
GIT binary patch
literal 46
ncmZQzWME)mR8aV@prGI$9O?vO14RTFSb-!Tlm}J=<g)<)al`|F

literal 0
HcmV?d00001

diff --git a/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5642531954229248 b/test/fuzzing/fonts/clusterfuzz-testcase-minimized-hb-subset-fuzzer-5642531954229248
new file mode 100644
index 0000000000000000000000000000000000000000..8631cd645ee1b1632977d448f8297cb5329836d1
GIT binary patch
literal 46
pcmZQzWME)mR8aV@prGI$;2#WP14RTFn1Cc710xUu<$)Lkm;i4T13>@)

literal 0
HcmV?d00001